1 Overview

Bedwyr is a generalization of logic programming that allows model checking directly
on syntactic expressions possibly containing bindings. This system, written in
OCaml, is a direct implementation of two recent advances in the theory of proof
search. The first is centered on the fact that both finite success and finite
failure can be captured in the sequent calculus by incorporating inference rules
for definitions that allow fixed points to be explored. As a result, proof search
in such a sequent calculus can capture simple model checking problems as well as
may and must behavior in operational semantics. The second is that higher-order
abstract syntax is directly supported using term-level λ-binders and the
∇ quantifier. These features allow reasoning directly on expressions containing
bound variables.

2 Foundations 

The logical foundation of Bedwyr is the logic called LINC [12], an acronym for 
"lambda, induction, nabla, and co-induction" that is an enumeration of its major 
components. LINC extends intuitionistic logic in two directions. 

Fixed points via definitions. Clauses such as $A \triangleq B$ are used to provide
(mutually) recursive definitions of atoms. Once a set $\mathcal{D}$ of such
definition clauses has been fixed, LINC provides inference rules for introducing
atomic formulas based on the idea of unfolding definitions. Unfolding on the right
of the sequent arrow is specified by the following definition-right rule:

$$\frac{\Sigma : \Gamma \vdash B\theta}{\Sigma : \Gamma \vdash A}
\quad \text{provided } A' \triangleq B \in \mathcal{D} \text{ and } A'\theta = A.$$

This rule resembles backchaining in more conventional logic programming languages.
The definition-left rule is a case analysis justified by a closed-world reading of
a definition.

$$\frac{\{\,\Sigma\theta : \Gamma\theta, B\theta \vdash G\theta \;\mid\;
A' \triangleq B \in \mathcal{D} \text{ and } \theta \in \mathrm{csu}(A, A')\,\}}
{\Sigma : \Gamma, A \vdash G}$$

Notice that this rule uses unification: the eigenvariables of the sequent (stored
in the signature $\Sigma$) are instantiated by $\theta$, which is a member of a
complete set of unifiers (csu) for atoms $A$ and $A'$. Bedwyr implements a subset
of this rule that is restricted to higher-order pattern unification and, hence, to
a case where csu can be replaced by mgu. If an atom on the left fails to unify
with the head of any definition, the premise set of this inference rule is empty
and, hence, the sequent is proved: thus, a unification failure is turned into a
proof search success.

Notice that this use of definitions as fixed points implies that logic
specifications are not treated as part of a theory from which conclusions are
drawn. Instead, the proof system itself is parametrized by the logic
specification. In this way, definitions remain fixed during proof search and the
closed world assumption can be applied to the logic specification. For earlier
references to this approach to fixed points see [3,11,4].

Nabla quantification. Bedwyr supports the λ-tree syntax [6] approach to
higher-order abstract syntax [9] by implementing a logic that provides (i) terms
that may contain λ-bindings, (ii) variables that can range over such terms, and
(iii) equality (and unification) that follows the rules of λ-conversion. Bedwyr
shares these attributes with systems such as λProlog. However, it additionally
includes the ∇-quantifier that is needed to fully exploit the closed-world aspects
of LINC. This quantifier can be read informally as "for a new variable" and is
accommodated easily within the sequent calculus with the introduction of a new
kind of local context scoped over formulas. We refer the reader to [7] for more
details. We point out here, however, that ∇ can always be given minimal scope by
using the equivalences $\nabla x.(Ax * Bx) \equiv (\nabla x.Ax) * (\nabla x.Bx)$,
where $*$ may be $\supset$, $\wedge$ or $\vee$, and the fact that ∇ is self-dual:
$\nabla x.\neg Bx \equiv \neg\nabla x.Bx$. When ∇ is moved under ∀ and ∃, it
raises the type of the quantified variable: in particular, in the equivalences
$\nabla x\forall y.Fxy \equiv \forall h\nabla x.Fx(hx)$ and
$\nabla x\exists y.Fxy \equiv \exists h\nabla x.Fx(hx)$, the variable $y$ is
replaced with a functional variable $h$. Finally, when ∇ is scoped over
equations, the equivalence $\nabla x.(Tx = Sx) \equiv (\lambda x.Tx) = (\lambda x.Sx)$
allows it to be completely removed. As a result, no fundamentally new ideas are
needed to implement ∇ in a framework where λ-term equality is supported.

3 Architecture 

Bedwyr implements a fragment of LINC that is large enough to permit interesting
applications of fixed points and ∇. In this fragment, all the left rules are
invertible. Consequently, we can use a simple proof strategy that alternates
between left and right rules, with the left rules taking precedence over the
right rules.

Two provers. The fragment of LINC implemented in Bedwyr is given by the following
grammar:

$$L_0 ::= \top \mid A \mid L_0 \wedge L_0 \mid L_0 \vee L_0 \mid \nabla x.\, L_0 \mid \exists x.\, L_0$$

$$L_1 ::= \top \mid A \mid L_1 \wedge L_1 \mid L_1 \vee L_1 \mid \forall x.\, L_1 \mid \exists x.\, L_1 \mid \nabla x.\, L_1 \mid L_0 \supset L_1$$

The formulas in this fragment are divided into level-0 formulas, given by $L_0$
above, and level-1 formulas, given by $L_1$. Implicit in the above grammar is the
partition of atoms into level-0 atoms and level-1 atoms. Restrictions apply to
goal formulas and definitions: goal formulas can be level-0 or level-1 formulas,
and in a definition $A \triangleq B$, $A$ and $B$ can be level-0 or level-1
formulas, provided that the level of $A$ is greater than or equal to the level
of $B$.

Level-0 formulas are essentially a subset of goal formulas in λProlog (with ∇
replacing ∀). Proof search for a defined atom of level-0 is thus the same as in
λProlog (and Bedwyr implements that fragment following the basic ideas described
in [2]). We can think of a level-0 definition, say, $p\,x \triangleq B\,x$, as
defining a set of elements $x$ satisfying $B\,x$. A successful proof search for
$p\,t$ means that $t$ is in the set characterized by $B$. A level-1 statement
like $\forall x.\, p\,x \supset R\,x$ would then mean that $R$ holds for all
elements of the set characterized by $p$. That is, this statement captures the
enumeration of a model of $p$ and its verification can be seen as a form of model
checking. To reflect this operational reading of level-1 implications, the proof
search engine of Bedwyr uses two subprovers: the Level-0 prover (a simplified
λProlog engine), and the Level-1 prover. The latter is a usual depth-first
goal-directed prover but with a novel treatment of implication. When the Level-1
prover reaches the implication $A \supset B$, it calls the Level-0 prover on $A$
and gets in return a stream of answer substitutions: the Level-1 prover then
checks that, for every substitution $\theta$ in that stream, $B\theta$ holds. In
particular, if Level-0 finitely fails with $A$, the implication is proved.

As with most depth-first implementations of proof search, Bedwyr suffers from
some aspects of incompleteness: for example, the prover can easily loop during a
search although different choices of goal or clause ordering could lead to a
proof, and certain kinds of unification problems should be delayed instead of
attempted eagerly. For a more detailed account of the incompleteness issues, we
refer the reader to [14]. Bedwyr does not currently implement static checking of
types and the stratification of definitions (which is required in the
cut-elimination proof for LINC). This allows us to experiment with a wider range
of examples than those allowed by LINC.

Higher-order pattern unification. We adapt the treatment of higher-order pattern
unification due to Nadathur and Linnell [8]. This implementation uses the
suspension calculus representation of λ-terms. We avoid explicit raising, which
is expensive, by representing ∇-bound variables by indices and associating a
global and a local level annotation with other quantified variables. The global
level replaces raising over existential and universal variables. The local level
replaces raising over ∇-bound variables. For example, the scoping in
$\forall x \exists y \nabla n \forall z.\, F\,x\,y\,n\,z$ is represented by the
following annotation: $F\,x^{0,0}\,Y^{1,0}\,\#_0\,z^{2,1}$ (we use lowercase
letters for universal variables, uppercase for existentials, the index $\#_n$ for
the $n$-th ∇-bound variable, and write in superscript the annotation
(global, local)). Using this annotation scheme, the scoping aspects of ∇
quantifiers are reflected into new conditions on local levels but the overall
structure of the higher-order pattern unification problem and its mgu properties
are preserved.



Tabling. We introduced tabling in Bedwyr to cut down exponential blowups caused
by redundant computations and to detect loops during proof search. The first
optimization is critical for applications such as weak bisimulation checking.
The second one proves useful when exploring reachability in a cyclic graph.

Tabling is currently used in Bedwyr to experiment with proof search for
inductive and co-inductive predicates. A loop over an inductive predicate that
would otherwise cause a divergence can be categorized using tabling as a
failure. Similarly, in the co-inductive case, loops yield success. This
interpretation of loops as failure or success is not part of the meta-theory of
LINC. Its soundness is currently conjectured, although we do not see any
inconsistency of this interpretation on the numerous examples that we tried.

Inductive proof search with tabling is implemented effectively in provers like
XSB [10] using, for example, suspensions. The implementation of tables in Bedwyr
fits simply in the initial design of the prover but is much weaker. We only
table a goal in Level-1 when it does not have free occurrences of variables
introduced by an existential quantifier, and in Level-0 when it does not have
any free variable occurrence. Nevertheless, this implementation of tabling has
proved useful in several cases, ranging from graph examples to bisimulation.

4 Examples 

We give here a brief description of the range of applications of Bedwyr. We refer
the reader to http://slimmer.gforge.inria.fr/bedwyr and the user manual for
Bedwyr [1] for more details about these and other examples.

Finite failure. Let $false$ be an atom that has no definition. Negation of a
level-0 formula $G$ can then be written as the level-1 formula $G \supset false$
and this negation is provable in the Level-1 prover if all attempts to prove $G$
in the Level-0 prover fail. For example, the formula
$\forall y.\,[(\lambda x.x = \lambda x.y) \supset false]$ is a theorem: i.e.,
the identity abstraction is always different from a constant-valued abstraction.

Model-checking. If the two predicates $P$ and $Q$ are defined using Horn clauses,
then the Level-1 prover is capable of attempting a proof of
$\forall x.\, P\,x \supset Q\,x$. This covers most (un)reachability checks common
in model-checking. Related examples in the Bedwyr distribution include the
verification of a 3-bit addition circuit and graph cyclicity checks.
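As an added illustration of the two-prover architecture of Section 3, of negation by finite failure, and of the model check of the form ∀x. P x ⊃ Q x just described, here is a small Python engine written for this page (it is neither Bedwyr's OCaml code nor its input syntax): a Level-0 prover that yields a stream of answer substitutions, and a Level-1 prover whose implication case runs Level-0 on the antecedent and checks the consequent under every answer. It simplifies Bedwyr in two ways stated in its comments: unification is first-order (no λ-terms and no ∇), and there is no tabling, so the transition system is kept acyclic. The states `s0`..`s4`, the predicates `step`, `bad`, `path` and `reach`, and the undefined atom `false` are all constructed for the example.

```python
"""Two-level proof search in the style of Bedwyr (added example, not Bedwyr's code)."""
import itertools

_ids = itertools.count()

class Var:
    """Logic variable. eigen=True marks a Level-1 eigenvariable: rigid inside the
    Level-1 prover, but instantiable by the Level-0 prover's answer substitutions."""
    def __init__(self, name, eigen=False):
        self.name, self.eigen, self.id = name, eigen, next(_ids)
    def __repr__(self):
        return f"{self.name}{self.id}"

def walk(t, s):  # dereference t through substitution s
    while isinstance(t, Var) and t in s:
        t = s[t]
    return t

def unify(a, b, s, rigid_eigen):
    """First-order unification, no occurs check (Bedwyr uses higher-order pattern
    unification; first order suffices here). Returns the extended substitution or None."""
    a, b = walk(a, s), walk(b, s)
    if isinstance(a, Var) and a is b:
        return s
    if isinstance(a, Var) and not (rigid_eigen and a.eigen):
        return {**s, a: b}
    if isinstance(b, Var) and not (rigid_eigen and b.eigen):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = unify(x, y, s, rigid_eigen)
            if s is None:
                return None
        return s
    return s if (not isinstance(a, (Var, tuple)) and a == b) else None

def rename(t, m, fresh_all):
    """Copy t substituting variables per m; with fresh_all every other variable is
    replaced by a fresh one (clause renaming before each unfolding)."""
    if isinstance(t, Var):
        if t not in m and fresh_all:
            m[t] = Var(t.name)
        return m.get(t, t)
    if isinstance(t, tuple):
        return tuple(rename(x, m, fresh_all) for x in t)
    return t

def search(goal, s, level):
    """Depth-first proof search yielding every answer substitution. level 0 is the
    Level-0 prover; level 1 adds forall (eigenvariables) and L0 => L1 implication."""
    tag = goal[0]
    if tag == 'true':
        yield s
    elif tag == 'eq':
        s2 = unify(goal[1], goal[2], s, rigid_eigen=(level == 1))
        if s2 is not None:
            yield s2
    elif tag == 'and':
        for s2 in search(goal[1], s, level):
            yield from search(goal[2], s2, level)
    elif tag == 'or':
        yield from search(goal[1], s, level)
        yield from search(goal[2], s, level)
    elif tag in ('exists', 'forall'):
        assert level == 1 or tag == 'exists', "forall is not a level-0 connective"
        fresh = Var(goal[1].name, eigen=(tag == 'forall'))
        yield from search(rename(goal[2], {goal[1]: fresh}, False), s, level)
    elif tag == 'imp':
        assert level == 1, "implication is not a level-0 connective"
        # Level-0 proves the antecedent; the consequent must hold under every answer
        # substitution. No answers at all (finite failure) proves the implication.
        if all(provable(goal[2], th, 1) for th in search(goal[1], s, 0)):
            yield s
    else:  # atom: unfold each clause of its definition; no clauses => finite failure
        for clause in DEFS.get(tag, []):
            head, body = rename(clause, {}, True)
            s2 = unify(head, goal, s, rigid_eigen=(level == 1))
            if s2 is not None:
                yield from search(body, s2, level)

def provable(goal, s, level):
    return next(search(goal, s, level), None) is not None

# Constructed transition system (not from the paper): s0->s1, s0->s2, s2->s3; s4 is
# unreachable and the only "bad" state. Acyclic on purpose: this engine has no tabling.
TRUE = ('true',)
X, Y, Z = Var('X'), Var('Y'), Var('Z')
DEFS = {
    'step': [(('step', a, b), TRUE) for a, b in [('s0', 's1'), ('s0', 's2'), ('s2', 's3')]],
    'bad': [(('bad', 's4'), TRUE)],
    'path': [(('path', X, X), TRUE),                                      # path X X
             (('path', X, Z), ('and', ('step', X, Y), ('path', Y, Z)))],  # path X Z :- step X Y, path Y Z
    'reach': [(('reach', X), ('path', 's0', X))],  # 'false' deliberately has no clauses
}

def reachable_states():
    """Level-0 query: read `reach X` back through each answer substitution."""
    x = Var('X')
    return sorted(walk(x, th) for th in search(('reach', x), {}, 0))

def all_reachable_safe():
    """Level-1 model check of forall x. reach x => (bad x => false)."""
    x = Var('x')
    return provable(('forall', x, ('imp', ('reach', x), ('imp', ('bad', x), ('false',)))), {}, 1)

def never_reaches(state):
    """forall x. reach x => (x = state => false): `state` is unreachable."""
    x = Var('x')
    return provable(('forall', x, ('imp', ('reach', x), ('imp', ('eq', x, state), ('false',)))), {}, 1)
```

The eigenvariable introduced by the Level-1 ∀ is the interesting part: `unify` treats it as a constant when a Level-1 atom is unfolded (the definition-right rule only matches), but lets the Level-0 call bind it, which is how `reach x` returns the answers `x := s0, s1, s2, s3` that the consequent is then checked against. `never_reaches('s3')` fails because one of those answers makes `x = s3` succeed and `false` has nothing to unfold; `never_reaches('s4')` succeeds by the same finite failure.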

Games and strategies. Assuming that a transition in a game from position $P$ to
position $P'$ can be described by a level-0 formula $step\ P\ P'$, then proving
the level-1 atom $win\ P$ defined by

$$win\ P \triangleq \forall P'.\, step\ P\ P' \supset \exists P''.\, step\ P'\ P'' \wedge win\ P''$$

will determine if there is a winning strategy from position $P$. If all
win-atoms are tabled during proof search, the resulting table contains an actual
winning strategy.
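An added example (not code from Bedwyr or the paper) of the win predicate with tabling: a Python prover for the definition of win P above over a constructed game graph. The table of completed win-atoms doubles as the strategy, and re-entering an atom still under proof (a loop, as between the constructed positions p7 and p8) is read inductively as failure, as the Tabling paragraph of Section 3 describes. The graph `STEP` and the position names are assumptions of the example.

```python
# Constructed game graph (not from the paper). STEP[P] lists the positions P' with
# step P P'. p7/p8 form a cycle with no exit: an untabled depth-first search of
# win p7 would diverge on it.
STEP = {
    'p0': ['p1', 'p2'], 'p1': ['p3'], 'p2': ['p4', 'p6'], 'p3': [],
    'p4': ['p2'], 'p6': [], 'p7': ['p8'], 'p8': ['p7'],
}


class WinProver:
    """win P := forall P'. step P P' => exists P''. step P' P'' /\ win P'',
    with tabling: completed win-atoms are stored, and re-entering an atom still
    under proof (a loop) counts as failure (the inductive reading)."""

    def __init__(self, step):
        self.step = step
        self.table = {}          # tabled win-atoms: position -> True/False
        self.in_progress = set()
        self.strategy = {}       # (P, opponent move P') -> our reply P''

    def win(self, p):
        if p in self.table:
            return self.table[p]
        if p in self.in_progress:
            return False         # inductive loop => failure
        self.in_progress.add(p)
        replies, ok = {}, True
        for p1 in self.step.get(p, []):              # Level-0 answers for step P P'
            # exists P''. step P' P'' /\ win P'': the first winning reply is kept
            reply = next((p2 for p2 in self.step.get(p1, []) if self.win(p2)), None)
            if reply is None:
                ok = False
                break
            replies[(p, p1)] = reply
        self.in_progress.discard(p)
        self.table[p] = ok
        if ok:
            self.strategy.update(replies)            # the table doubles as a strategy
        return ok


def winning(position, step=STEP):
    """Prove win position; return (verdict, the strategy read off the table)."""
    prover = WinProver(step)
    return prover.win(position), prover.strategy
```

A position with no moves is won vacuously (`step P P'` finitely fails), so `win p0` holds with the replies p3 and p4, and `win p4` holds because the opponent's only move to p2 can be answered by p6. One caveat this simple scheme shares with the text: a failure reached only because a loop was cut is tabled as final, which is exactly where the conjectured (not proven) soundness of the loop-as-failure reading matters; on this graph every tabled verdict is the least-fixed-point one.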

Simulation in process calculi. If the level-0 atom $P \xrightarrow{A} Q$ specifies
a one-step transition (process $P$ does an $A$-action and results in process
$Q$), then simulation can be written in Bedwyr as follows [5].

$$sim\ P\ Q \triangleq \forall A \forall P'.\, P \xrightarrow{A} P' \supset \exists Q'.\, Q \xrightarrow{A} Q' \wedge sim\ P'\ Q'$$

In dealing with the π-calculus, where bindings can occur within one-step
transitions, there are two additional transitions that need to be encoded: in
particular, $P \xrightarrow{\downarrow X} P'$ and $P \xrightarrow{\uparrow X} P'$,
for bound input and bound output transitions on channel $X$. In both of these
cases, $P$ is a process but $P'$ is a name abstraction over a process. The full
specification of (late, open) simulation for the π-calculus can be written using
the following [7].

$$\begin{aligned}
sim\ P\ Q \triangleq\ & [\forall A \forall P'.\, P \xrightarrow{A} P' \supset \exists Q'.\, Q \xrightarrow{A} Q' \wedge sim\ P'\ Q'] \ \wedge \\
& [\forall X \forall P'.\, P \xrightarrow{\downarrow X} P' \supset \exists Q'.\, Q \xrightarrow{\downarrow X} Q' \wedge \forall w.\, sim\ (P'w)\ (Q'w)] \ \wedge \\
& [\forall X \forall P'.\, P \xrightarrow{\uparrow X} P' \supset \exists Q'.\, Q \xrightarrow{\uparrow X} Q' \wedge \nabla w.\, sim\ (P'w)\ (Q'w)]
\end{aligned}$$

Notice that the abstracted continuations resulting from bound input and bound
output actions are treated by the ∀-quantifier and the ∇-quantifier,
respectively. In a similar way, modal logics for the π-calculus can be captured
[13]. If sim-atoms are tabled during proof search, the resulting table contains
an actual simulation. Bisimulation is easily captured by simply adding the
symmetric clauses for all those used to define $sim$.
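An added example (not Bedwyr's code) of sim with co-inductive tabling, following the first sim definition above and the Tabling paragraph of Section 3, where loops over a co-inductive predicate yield success. Labelled transitions of three constructed finite processes stand in for the π-calculus transition relation, so bound input and bound output (and hence the ∀w / ∇w clauses) do not arise; `symmetric=True` adds the mirrored clause and so checks bisimulation. Its commit rule is stricter than the scheme the text describes: a success that may rest on a loop guess is written to the table only once the top-level query has succeeded, so the table that remains is an actual (bi)simulation. `TRANS` and the process names are assumptions of the example.

```python
# Constructed labelled transition systems (not from the paper):
#   P  = a.b.P             P2 = a.b.a.b.P2   (the behaviour of P, unrolled twice)
#   Q  = a.(b.Q + c.Q)     (Q can also do c, so P does not simulate Q)
TRANS = {
    'P': [('a', 'P1')], 'P1': [('b', 'P')],
    'P2': [('a', 'P3')], 'P3': [('b', 'P4')], 'P4': [('a', 'P5')], 'P5': [('b', 'P2')],
    'Q': [('a', 'Q1')], 'Q1': [('b', 'Q'), ('c', 'Q')],
}


class SimProver:
    """sim P Q := forall A P'. P --A--> P' => exists Q'. Q --A--> Q' /\ sim P' Q',
    with co-inductive tabling: re-entering a pair still under proof (a loop) is a
    success. symmetric=True also requires the mirrored clause (bisimulation)."""

    def __init__(self, trans, symmetric=False):
        self.trans = trans
        self.symmetric = symmetric
        self.table = {}        # (P, Q) -> True/False; only sound, committed entries
        self.in_progress = []  # pairs currently being unfolded
        self.pending = []      # successes that may still rest on a loop guess

    def _clause(self, p, q):
        # every A-move of p must be matched by an A-move of q to a related pair
        for a, p1 in self.trans.get(p, []):
            if not any(self._sim(p1, q1) for b, q1 in self.trans.get(q, []) if b == a):
                return False
        return True

    def _sim(self, p, q):
        key = (p, q)
        if key in self.table:
            return self.table[key]
        if key in self.pending or key in self.in_progress:
            return True        # co-inductive loop => success
        self.in_progress.append(key)
        mark = len(self.pending)
        ok = self._clause(p, q) and (not self.symmetric or self._clause(q, p))
        self.in_progress.pop()
        if ok:
            self.pending.append(key)
        else:
            # A failure never rests on a loop guess, so it is tabled at once. The
            # successes found beneath it may have rested on the guess "(p, q) holds",
            # which just turned out wrong, so they are discarded (and recomputed if needed).
            del self.pending[mark:]
            self.table[key] = False
        return ok

    def sim(self, p, q):
        """Top-level query. On success every pending pair is committed: together
        they form an actual simulation (bisimulation if symmetric) containing (p, q)."""
        ok = self._sim(p, q)
        if ok:
            self.table.update((key, True) for key in self.pending)
        self.pending.clear()
        return ok


def check(p, q, symmetric=False):
    """Return (verdict, the relation left in the table after the query)."""
    prover = SimProver(TRANS, symmetric)
    verdict = prover.sim(p, q)
    return verdict, sorted(k for k, v in prover.table.items() if v)
```

`check('P', 'Q')` succeeds only because the loop back to `('P', 'Q')` is read as success, and the committed table `{('P','Q'), ('P1','Q1')}` is a simulation one can verify by hand. `check('Q', 'P')` fails on the `c`-move that `P1` cannot match; the failure of `('Q1', 'P1')` is tabled immediately, and the pending successes are dropped rather than committed. With `symmetric=True` the same machinery rejects `P` and `Q` as bisimilar but accepts `P` and its unrolling `P2`.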

Meta-level reasoning. Because Bedwyr uses the ∇ quantifier and the λ-tree
approach to encoding syntax, it is possible to specify provability in an object
logic and to reason to some extent about what is and is not provable. Consider
the tiny fragment of intuitionistic logic with the universal quantifier ∀ and the
implication ⇒ in which we only allow atoms to the left of implications. If the
formula $\forall x.\, (p\,x\,r \Rightarrow \forall y.\, (p\,y\,s \Rightarrow p\,x\,t))$
is provable in this logic then one would expect $r$ and $t$ to be syntactically
equal terms. In searching for a proof of this formula, the quantified variables
are replaced by distinct eigenvariables: therefore, the only way the formula
could have been proved is for $p\,x\,t$ to match $p\,x\,r$, hence $r = t$.
Provability of a formula $B$ from a list of atomic formulas $L$ can be specified
by the following meta-level (Bedwyr-level) judgment $pv\ L\ B$:

$$pv\ L\ B \triangleq memb\ B\ L. \qquad pv\ L\ (\forall B) \triangleq \nabla x.\, pv\ L\ (B\,x).$$

$$pv\ L\ (A \Rightarrow B) \triangleq pv\ (A :: L)\ B.$$

Here, $memb$ and $::$ are the usual predicate for list membership and the
non-empty list constructor. Object-level eigenvariables are specified using the
meta-level ∇-quantifier. The above observation about object-logic provability
can now be stated in the meta-logic as the following formula, which is provable
in Bedwyr:

$$\forall r \forall s \forall t.\, pv\ nil\ (\forall x.\, (p\,x\,r \Rightarrow \forall y.\, (p\,y\,s \Rightarrow p\,x\,t))) \supset r = t.$$



5 Future Work

We are working on several improvements to Bedwyr, including more sophisticated
tabling and allowing the suspension of goals containing non-higher-order-pattern
unification (rescheduling them when instantiations change them into higher-order
pattern goals). We will also explore using tables as proof certificates: for
example, when proving that two processes are bisimilar, the table stores an
actual bisimulation, the existence of which proves the bisimilarity. Bedwyr is an
open source project: more details about it can be found at
http://slimmer.gforge.inria.fr/bedwyr/.